September's NoticeBored awareness content will take a back-to-basics look at information risk and security, with an update to the Infosec 101 module.
So what are the basics?
We probably ought to, at some point, introduce the fundamental concepts, principles and approaches such as:
- Risk and control, both in general and in the context of information;
- Governance, management and compliance;
- The process of identifying, assessing and treating information risks;
- CIA (confidentiality, integrity and availability) requirements; and
- Various types or categories of security control (e.g. preventive, technical).
- Access controls;
- Assurance and trust;
- Backups, resilience and business continuity;
- Firewalls and network security;
- Malware controls;
- Monitoring and oversight;
- Passwords, identification and authentication;
- Patching and system security;
- Policies and compliance;
- Physical security; and
- Awareness (naturally).
Hey, the module is almost writing itself! Pepper the materials with a bunch of everyday examples of information security incidents, breaches and compromises and Bob's your uncle!
Errrr, in case you missed it, I'm being cynical. For a start explaining all that lot above would certainly take a while. Scratch beneath the surface and it gets quite complex and drags on ... which would be a problem in, say, a short employee induction or security orientation session.
There's a risk of losing or boring the audience ... and that's another thing: 'the audence' is not a homogeneous blob. NoticeBored's three parallel streams of awareness content cater for staff in general, managers and professionals/specialists, but those are fairly crude distinctions.
Yet another factor is the organizational context. Our military or governmental clients are in a markedly different situation to, say, those in IT services, finance, healthcare, education, retail or charity. Within each of those industry sectors, some clients are more mature than others. In some organizations, the infosec awareness people would be grateful for awareness opportunities lasting literally just a few minutes. In those with a strong security culture, a few hours on this topic may be feasible.
All in all, it's far from simple to even specify, let alone create, back-to-basics security awareness content. There's clearly a distinct risk of complexity creeping in.
One solution might be to cut back savagely on the more advanced aspects - for instance, "passwords, identification and authentication" could become just "passwords". That would work for the staff stream for some clients, but not all. Dropping I&A makes me uncomfortable as an infosec pro. The same concern applies in, say, "access control".
Another option would be to focus on the fundamental concepts and axioms that underpin information risk and security management, ignoring the actual controls altogether: conceptual theories might suit the professional stream but would fly way over the heads of most workers. I can picture the eyelids drooping as I complete this sentence!
So, that's where we are today. As always, I'll be updating the blog most days as the work proceeds. It will be interesting (for me at least!) to see how we surmount the challenge. Do tag along for the ride.
[By the way, the comments are open. How would you tackle this? I'd love to hear from you. Bright ideas are very welcome. Email me if you are shy.]